Port forwarding for AnyConnect having an impact on IPSec

a.maldonado
Level 1

Is it possible to configure port forwarding in a Cisco router to allow AnyConnect clients to authenticate with the VPN server (ASA 10.0.0.1) while at the same time have IPSec VPNs terminating in the same router?

I configured:

ip nat inside source static udp 10.0.0.1 500 interface G0/2 500

But the problem I found is that the IPSec VPNs won't form because Phase 1 is forwarded to the ASA, which does not have any IKE or IPsec configuration, and I don't want it anyway.

I thought I could use an ACL, but I cannot find out how.

I wonder if anyone has come across this same situation and if so, I will really appreciate any suggestions.

Accepted Solution

Hi,
So you've got a router in front of the ASA, is that correct? And that has a static NAT for the ASA?
You want to terminate IPSec VPNs on the router and remote access (via AnyConnect) on the ASA?

If you set up the remote access VPN on the ASA to use SSL-VPN (tcp/443 and udp/443), then you could port forward those ports to the ASA and leave udp/500 on the router for IPSec VPNs.

HTH


3 Replies

Thank you RJI for your suggestion,

All your assumptions are correct. The ASA will be behind the router and the router will have the ISP connection.

I must admit I did think of what you suggested, and I also thought of connecting another firewall interface directly to the ISP solely for this purpose. But I did not follow it through because I am not sure of the drawbacks of implementing the SSL client approach instead of IKE.

We have already deployed the VPN AnyConnect client to all company staff, and they have been working with this client for some years now because the ASA is currently facing the ISP.

Thank you all who tried to help me to resolve this problem.

So, my router facing the ISP must have the following two statements in order to forward the IKEv1 requests for connection to the VPN server, which is behind the router. Once the client is authenticated and connected, it can browse the internal network, which has to be included in the ACL for splitTunnel.

ip nat inside source static udp 192.168.254.126 500 A.B.C.178 500 extendable
ip nat inside source static udp 192.168.254.126 4500 A.B.C.178 4500 extendable

I also thank the person who said I should use another public IP address from within the pool allocated to me by the ISP for the VPN remote connections. This way, my IPSec VPNs terminating on A.B.C.179 would not be affected by the port forward statements, which was the first problem I faced.
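The three designs discussed in this thread (the original udp/500 forward on the router's own interface, RJI's SSL-VPN suggestion, and the final two-public-IP layout) differ only in which inbound packets a static NAT entry captures before the router gets to terminate them itself. The following is an added example, not code from the thread or from Cisco: a small Python model that parses `ip nat inside source static` lines in the two forms used above and reports whether an inbound packet is translated to the ASA or left for the router. It assumes the addresses from the thread (G0/2 holding A.B.C.179, A.B.C.178 as the extra address from the ISP pool, the ASA at 10.0.0.1 or 192.168.254.126) and simplifies IOS behaviour to "a matching outside-to-inside static translation is applied before the packet is considered local".

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticNat:
    proto: str
    inside_ip: str
    inside_port: int
    global_ip: str
    global_port: int


@dataclass(frozen=True)
class Packet:
    proto: str
    dst_ip: str
    dst_port: int


# Constructed topology, following the thread: G0/2 is the ISP-facing interface
# holding A.B.C.179 and terminating the site-to-site IPsec tunnels; A.B.C.178 is a
# second address from the ISP pool that is routed to the same router.
INTERFACE_IPS = {"G0/2": "A.B.C.179"}
ROUTER_OWNED_IPS = set(INTERFACE_IPS.values()) | {"A.B.C.178"}


def parse_static_nat(line: str) -> StaticNat:
    """Parse 'ip nat inside source static <proto> <in_ip> <in_port>
    (interface <name> | <global_ip>) <global_port> [extendable]'."""
    t = line.split()
    if t[:5] != ["ip", "nat", "inside", "source", "static"] or len(t) < 10:
        raise ValueError(f"not a static NAT statement: {line!r}")
    proto, inside_ip, inside_port = t[5], t[6], int(t[7])
    if t[8] == "interface":
        global_ip, global_port = INTERFACE_IPS[t[9]], int(t[10])
    else:
        global_ip, global_port = t[8], int(t[9])
    return StaticNat(proto, inside_ip, inside_port, global_ip, global_port)


def inbound_target(pkt: Packet, nat_table: list[StaticNat]) -> tuple[str, str, int]:
    """Simplified model: a matching static translation wins over local delivery,
    so a forwarded port is never seen by the router's own IKE/crypto process."""
    for e in nat_table:
        if (e.proto, e.global_ip, e.global_port) == (pkt.proto, pkt.dst_ip, pkt.dst_port):
            return ("asa", e.inside_ip, e.inside_port)
    if pkt.dst_ip in ROUTER_OWNED_IPS:
        return ("router", pkt.dst_ip, pkt.dst_port)
    return ("dropped", pkt.dst_ip, pkt.dst_port)


def evaluate(nat_lines: list[str], probes: dict[str, Packet]) -> dict[str, str]:
    table = [parse_static_nat(line) for line in nat_lines]
    return {name: inbound_target(p, table)[0] for name, p in probes.items()}


def design_original() -> dict[str, str]:
    """The first attempt in the thread: udp/500 forwarded on the router's own
    interface address. Site-to-site IKE aimed at the router is captured too."""
    return evaluate(
        ["ip nat inside source static udp 10.0.0.1 500 interface G0/2 500"],
        {
            "site_to_site_ike": Packet("udp", "A.B.C.179", 500),
            "anyconnect_ike": Packet("udp", "A.B.C.179", 500),
        },
    )


def design_ssl_vpn() -> dict[str, str]:
    """RJI's accepted suggestion: forward tcp/443 and udp/443 (TLS and DTLS)
    to the ASA and leave udp/500 untouched for the router's IPsec peers."""
    return evaluate(
        [
            "ip nat inside source static tcp 10.0.0.1 443 interface G0/2 443",
            "ip nat inside source static udp 10.0.0.1 443 interface G0/2 443",
        ],
        {
            "site_to_site_ike": Packet("udp", "A.B.C.179", 500),
            "anyconnect_tls": Packet("tcp", "A.B.C.179", 443),
            "anyconnect_dtls": Packet("udp", "A.B.C.179", 443),
        },
    )


def design_second_public_ip() -> dict[str, str]:
    """The final layout: IKE and NAT-T for AnyConnect forwarded on A.B.C.178,
    while IPsec peers keep dialling the router's own A.B.C.179."""
    return evaluate(
        [
            "ip nat inside source static udp 192.168.254.126 500 A.B.C.178 500 extendable",
            "ip nat inside source static udp 192.168.254.126 4500 A.B.C.178 4500 extendable",
        ],
        {
            "site_to_site_ike": Packet("udp", "A.B.C.179", 500),
            "site_to_site_nat_t": Packet("udp", "A.B.C.179", 4500),
            "anyconnect_ike": Packet("udp", "A.B.C.178", 500),
            "anyconnect_nat_t": Packet("udp", "A.B.C.178", 4500),
        },
    )


if __name__ == "__main__":
    for name, fn in [("original", design_original), ("ssl_vpn", design_ssl_vpn),
                     ("second_public_ip", design_second_public_ip)]:
        print(name, fn())
```

Running the script prints, for each design, which endpoint receives each probe. The original design sends both the site-to-site and the AnyConnect IKE packets to the ASA, which is exactly the symptom in the question; the other two keep the router's udp/500 (and udp/4500) local while still delivering the AnyConnect traffic to the ASA.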